Citrix XenApp and Web Interface – from authentication to application launching (yes, yet another one)

One of the most frequent questions that colleagues and customers ask me is ‘Hey… but… wait a minute, who authenticates the user? Is that the Web Interface or something else?’

Yes, it’s true, there is plenty of documentation out there that explains how the XenApp logon process works, but I have always struggled to find a document concise and clear enough to explain in detail (but not too much) how the authentication process works and which services and components are involved.

One great document available online is ‘The Excruciating Detail of the XenApp Logon Process’, published on brianmadden.com. It is very detailed, but it can be a bit ‘difficult’ to read for people who need a quick answer or for not-so-technical readers.

In this article I wanted to summarize the logon and application launching process by focusing on four main phases:

Phase 1: User Authentication

Phase 2: Resource Enumeration

Phase 3: Resource Resolution

Phase 4: Resource Launching

This document is not meant to be ‘an official guide’ to how it works (there are plenty of Citrix documents that do that); it is just meant to help whoever needs a quick and detailed overview of the process. There may be errors in it, so feel free to add comments or correct me if I’m wrong.

The majority of the information contained here comes from this great Citrix video: Web Interface Logon and Application Launch Process for XenApp

Phase 1: User Authentication

1. The user launches a web browser and types in the WI URL

2. The user then connects to the Web Interface

3. The Web Interface returns a logon page

4. The user types in his credentials

5. The credentials are forwarded to the XML service (over HTTP or HTTPS)

6. They are then passed to the IMA service

7. The IMA service then forwards the credentials to the ‘Local Security Authority Service’ (Lsass.exe), which in turn encrypts these credentials and passes them to the domain controller

8. The domain controller returns the user’s SID and a list of group SIDs to the Lsass service, which passes them back to IMA
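
Step 5 is the hop where the user's credentials leave the Web Interface server, so it matters whether that hop runs over HTTP or HTTPS. The check below is an added example, not code from the original post or from Citrix. It assumes the `Farm<n>=` line layout of WebInterface.conf (server names followed by comma-separated `Key:Value` options such as `Transport` and `XMLPort`) and that a missing `Transport` means plain HTTP on port 80; the sample configuration and host names are constructed.

```python
import re

# Constructed sample in the assumed WebInterface.conf "Farm<n>=" layout:
# server names first, then comma-separated Key:Value options.
SAMPLE_CONF = """\
Farm1=xa-dc01,xa-dc02,Name:Production,XMLPort:80,Transport:HTTP,SSLRelayPort:443
Farm2=xa-dmz01,Name:Partners,XMLPort:443,Transport:HTTPS,SSLRelayPort:443
Farm3=xa-lab01,Name:Lab,XMLPort:8080
"""

FARM_LINE = re.compile(r"^\s*(Farm\d+)\s*=\s*(.+)$")
PROTECTED = {"HTTPS", "SSL"}  # transports that encrypt the WI-to-XML hop


def parse_farms(conf_text):
    """Return one dict per Farm<n> line: setting key, server list, options."""
    farms = []
    for line in conf_text.splitlines():
        m = FARM_LINE.match(line)
        if not m:  # comments, blanks and unrelated settings
            continue
        servers, options = [], {}
        for token in (t.strip() for t in m.group(2).split(",")):
            if ":" in token:
                key, value = token.split(":", 1)
                options[key.strip()] = value.strip()
            elif token:
                servers.append(token)
        farms.append({"key": m.group(1), "servers": servers, "options": options})
    return farms


def audit_transport(conf_text):
    """List farms where step 5 would carry credentials to the XML service in clear."""
    findings = []
    for farm in parse_farms(conf_text):
        opts = farm["options"]
        # Assumption: a farm line without Transport/XMLPort uses HTTP on port 80.
        transport = opts.get("Transport", "HTTP").upper()
        if transport not in PROTECTED:
            findings.append((farm["key"], opts.get("Name", "?"), transport,
                             opts.get("XMLPort", "80")))
    return findings


if __name__ == "__main__":
    for key, name, transport, port in audit_transport(SAMPLE_CONF):
        print(f"{key} ({name}): credentials sent to XML service over {transport}, port {port}")
```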

Phase 2: Resource Enumeration

9. IMA uses these SIDs to look in the Local Host Cache on the server for the list of applications and the ‘worker group preference’ policy for this authenticated user

10. The list of applications, along with the ‘worker group preference’ policies, is then returned by the IMA service to the Web Interface (through the XML service)

11. The Web Interface then uses its Java objects to create a web page that contains the application list for the user; the user’s ‘worker group preference’ policy is cached in the Web Interface’s memory

12. The web page is then presented to the user’s browser, thus completing the ‘Resource Enumeration’ phase

Phase 3: Resource Resolution

13. The user then selects a particular application from the application list

14. The selected application’s data is passed back to the Web Interface, which in turn passes this information to the XML and IMA services along with the ‘worker group preference’ policy

15. This information is then forwarded to the zone data collector’s IMA service, which then:

a. tries to find the least loaded server according to the ‘worker group preference’ policy

b. when it finds a server, sends a query to the ‘Citrix Services Manager’ of that server to verify whether or not that server has the requested application installed

c. if the answer is yes, forwards that server’s host ID to the XML broker

16. The XML broker then translates this host ID into its IP address by searching the server’s ‘local host cache’; the IP address is then provided to the Web Interface, thus completing the Application Resolution phase

Phase 4: Resource Launching

17. The Web Interface then takes this IP address and creates an ICA file, which is returned to the user’s web browser

18. The Citrix plugin, located on the client, then uses the information included in the ICA file to launch an ICA connection to the least loaded server

19. The server then launches the application, which is presented to the user through the ICA channel

More information can be found here:

http://support.citrix.com/article/CTX129589 (Web Interface Logon and Application Launch Process for XenApp)

http://support.citrix.com/article/CTX134979 (High Availability for Citrix XenDesktop and Citrix XenApp – Planning Guide)

http://www.brianmadden.com/blogs/gabeknuth/archive/2008/08/14/briforum-video-the-excruciating-detail-of-the-xenapp-logon-process.aspx (The Excruciating Detail of the XenApp Logon Process)